<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>1.1. Install OpenBSD notes</title>
    </head>
    <body>

        <a href="index.html">OpenBSD Index</a>

        <h1>1.1. Install OpenBSD notes</h1>

        <p>Quick introduction to Packet Filter</p>

        <h2>Packet filter</h2>

        <p>Packet Filter (pf) is the OpenBSD subsystem that controls the flow of packets; read more about it in the OpenBSD FAQ and its man page.</p>

        <p>As a service, PF can be enabled or disabled with rcctl or with the pfctl program. PF uses /etc/pf.conf as its main configuration file; after boot, further rules can be loaded from other files if needed.</p>


        <h2>Configuration</h2>

        <p>To set up a simple firewall, edit /etc/pf.conf. The default file comes with very simple rules:</p>

        <pre>
        # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
        #
        # See pf.conf(5) and /etc/examples/pf.conf

        set skip on lo

        block return	# block stateless traffic
        pass		# establish keep-state

        # By default, do not permit remote connections to X11
        block return in on ! lo0 proto tcp to port 6000:6010

        # Port build user does not need network
        block return out log proto {tcp udp} user _pbuild
        </pre>

        <p>This configuration allows all incoming and outgoing connections, except for what the commented rules block: remote X11 connections, and network access for the _pbuild user that the ports system runs under when building.</p>

        <h2>Control</h2>

        <p>After boot, PF operation can be managed using pfctl:</p>

        <pre>
        pfctl -f  /etc/pf.conf    Load the pf.conf file
        pfctl -nf /etc/pf.conf    Parse the file, but don't load it
        pfctl -sr                 Show the current ruleset
        pfctl -ss                 Show the current state table
        pfctl -si                 Show filter stats and counters
        pfctl -sa                 Show EVERYTHING it can show
        </pre>

        <h2>Logs</h2>

        <p>The documentation says that when a packet is logged, a copy of its header is sent to the pflog interface together with additional data such as the interface, the action pf took, and so on.</p>

        <p>The pflog interface lets user-space applications receive this data from the kernel. At boot, when pf is enabled, pflogd is also started; by default it listens on pflog0 and writes to the file /var/log/pflog.</p>

        <p>To read the log file:</p>

        <pre>
        # tcpdump -n -e -ttt -r /var/log/pflog
        </pre>

        <p>To read the log in real time:</p>

        <pre>
        # tcpdump -n -e -ttt -i pflog0
        </pre>
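        <p>The pflog output above is only useful if someone reads it. The following Python script is an added example (not part of the original notes or of OpenBSD) that parses lines in the shape tcpdump prints for pflog records with -n -e -ttt and answers the questions a defender asks first: which hosts are being blocked most, whether one host is probing several ports, and whether anything on the inside is being blocked on the way out. The sample log lines are constructed for the example (documentation address ranges), the exact tcpdump field layout is taken from OpenBSD's pflog printer as the author understands it, and the parser assumes IPv4 endpoints.</p>

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines (not real log data) in the shape OpenBSD tcpdump(8)
# prints for pflog records with -n -e -ttt: timestamp, matched rule number and
# reason, action, direction, interface, then the packet summary.
SAMPLE_PFLOG = """\
Jan 05 10:10:13.212981 rule 3/(match) block in on re0: 198.51.100.23.43210 > 10.0.0.10.22: S 1234:1234(0) win 65535
Jan 05 10:10:13.500120 rule 3/(match) block in on re0: 198.51.100.23.43211 > 10.0.0.10.23: S 1235:1235(0) win 65535
Jan 05 10:10:14.001000 rule 8/(match) pass in on re0: 203.0.113.5.51000 > 10.0.0.10.22: S 777:777(0) win 65535
Jan 05 10:10:15.000000 rule 3/(match) block in on re0: 198.51.100.23.43212 > 10.0.0.10.3389: S 1236:1236(0) win 65535
Jan 05 10:10:16.000000 rule 3/(match) block out on re0: 10.0.0.10.60000 > 192.0.2.1.80: S 999:999(0) win 65535
Jan 05 10:10:17.000000 rule 3/(match) block in on re0: 198.51.100.77 > 10.0.0.10: icmp: echo request
"""

# Field layout assumed from OpenBSD's pflog printer; lines that do not match
# (e.g. truncated or non-pflog records) are skipped rather than guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>[^\s:]+): "
    r"(?P<src>\S+) > (?P<dst>[^\s:]+):"
)


@dataclass
class PflogRecord:
    timestamp: str
    rule: int
    reason: str
    action: str
    direction: str
    iface: str
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]


def split_host_port(token: str) -> Tuple[str, Optional[int]]:
    # With -n, tcpdump prints IPv4 endpoints as A.B.C.D.port; a bare A.B.C.D
    # (four octets, three dots) carries no port, as for ICMP. IPv4 only (assumption).
    if token.count(".") == 4:
        host, port = token.rsplit(".", 1)
        return host, int(port)
    return token, None


def parse_line(line: str) -> Optional[PflogRecord]:
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = split_host_port(m["src"])
    dst_host, dst_port = split_host_port(m["dst"])
    return PflogRecord(m["ts"], int(m["rule"]), m["reason"], m["action"], m["dir"],
                       m["iface"], src_host, src_port, dst_host, dst_port)


def parse_pflog(text: str) -> List[PflogRecord]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def blocked_by_source(records: List[PflogRecord]) -> Counter:
    # Blocked inbound packets per source host: the "who is knocking" view.
    return Counter(r.src_host for r in records if r.action == "block" and r.direction == "in")


def blocked_ports_by_source(records: List[PflogRecord]) -> Dict[str, Set[int]]:
    # Distinct destination ports each source was blocked on; one host hitting
    # several ports in a short window is the usual port-scan signature.
    ports: Dict[str, Set[int]] = {}
    for r in records:
        if r.action == "block" and r.direction == "in" and r.dst_port is not None:
            ports.setdefault(r.src_host, set()).add(r.dst_port)
    return ports


def blocked_egress(records: List[PflogRecord]) -> List[Tuple[str, str, Optional[int]]]:
    # Blocked outbound packets deserve a look of their own: with the page's
    # default-deny ruleset they mean either a missing pass rule or a local
    # process trying to reach something the policy never intended.
    return [(r.src_host, r.dst_host, r.dst_port)
            for r in records if r.action == "block" and r.direction == "out"]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    print("blocked inbound by source:", dict(blocked_by_source(recs)))
    print("ports probed per source:", blocked_ports_by_source(recs))
    print("blocked outbound:", blocked_egress(recs))
```

        <p>On a real system the input would be the output of the tcpdump commands shown above, piped into the script; the same three views apply unchanged.</p>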


        <h2>Simple firewall</h2>

        <p>The simplified syntax for filter rules is:</p>

        <pre>
        action [direction] [log] [quick] [on interface] [af]
        [proto protocol] [from src_addr [port src_port]]
        [to dst_addr [port dst_port]] [flags tcp_flags] [state]
        </pre>

        <p>Start changing the default configuration by setting the default policy to deny and logging all packets. Change the configuration file to contain the following filter rules:</p>

        <pre>
        int_if  = "re0"
        lan_net = "10.0.0.0/24"

        set skip on lo

        # scrub incoming packets
        match in all scrub (no-df)

        set block-policy drop # block silently
        block drop log all    # block and log everything

        # activate spoofing protection for all interfaces
        block in quick from urpf-failed

        # allow out dns
        pass out on $int_if proto udp to 10.0.0.254 port domain

        # allow out ntp
        pass out on $int_if proto udp to any port ntp

        # allow out https
        pass out on $int_if proto tcp to any port 443

        # allow out ssh
        pass out on $int_if proto tcp to any port { 22, 2222 }

        # allow in ssh
        pass in log on $int_if proto tcp from any to 10.0.0.10 port 22

        # do not permit remote connections to X11
        block in on ! lo0 proto tcp to port 6000:6010

        # port build user does not need network
        block out log proto {tcp udp} user _pbuild
        </pre>

        <p>To reload the configuration file:</p>

        <pre>
        # pfctl -f /etc/pf.conf
        </pre>

        <p>See what ports are open:</p>

        <pre>
        # netstat -na -f inet | grep LISTEN
        </pre>

        <p>Check the rules:</p>

        <pre>
        # pfctl -sr
        </pre>

        <a href="index.html">OpenBSD Index</a>
        <p>This is part of the LeetIO System Documentation.
        Copyright (C) 2021
        LeetIO Team.
        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
        for copying conditions.</p>
    </body>
</html>